P3P and the Future of PETs

I will be speaking on Thursday at the European Commission’s Workshop on the Economic Benefits of Privacy-enhancing Technologies in Brussels. With many calling for a revamping of ideas using metadata to help protect privacy, I felt that it was important to use the occasion to write a short paper entitled “Looking Back at P3P: Lessons for the Future,” which details the successes and failures of P3P (The Platform for Privacy Preferences).

P3P is a standard of the World Wide Web Consortium (W3C), the main standard-setting body for the Web. It was created to allow privacy policies to be expressed as machine-readable statements. The history of P3P dates to a period when the privacy debate, in the United States and elsewhere, began to focus on encouraging companies to post human-readable privacy policies. As criticism increased about the complexity of those notices, there was a call to simplify them through standardization. If policies could be narrowed down to the equivalent of a multiple-choice set of options, then they could be made machine-readable.

The theory held considerable promise if such statements could provide a clear, standardized means of rendering potentially complex privacy policies into a format that could be automatically parsed and instantly acted upon. Consumers could compare policies, enterprising companies or individuals could use P3P to develop more accurate means of rating and blocking sites, and governments could use the policies to instantaneously enforce data privacy laws.

In the end, P3P was never fully implemented as its creators had hoped. When the second working draft of the P3P specification was released in October 2000, Microsoft built P3P capabilities into Internet Explorer 6. However, those features mostly focused on utilizing cookie-blocking tools by default. Because of these decisions, one optional type of P3P policy is in widespread use among companies that place third-party cookies, demonstrating the power of a single implementation in the browser. Unfortunately, there are still no good tools that make use of the metadata, and this is why the main portion of the P3P specification is only used by a minority of Web sites today.

There have, however, been many positive stories about companies that instituted new privacy-friendly policies when confronted with having to implement P3P. The transparency that P3P offers clearly had an impact on companies when they realized P3P would make their privacy policies much more public. (During the development of the standard, two Citibank employees published a paper arguing that P3P was too transparent and expressing “concern that P3P would let ordinary users see, in full gory detail, how their personal information might be misused by less trusted or responsible web site operators.”)

A lot of good work went into P3P and, as those who use third-party cookies can tell you, it is far from dead. But P3P was ultimately far too complex, and there was no direct user interface built to use all of the metadata. Also, those who suggested that P3P was the answer to all privacy woes left the standard open to unnecessary attack.

Machine-readable policies, like P3P and other PETs, hold considerable promise and deserve attention. However, to create machine-readable policies that work, we need to learn from how P3P was created and promoted, study its shortcomings, and draw from the immense amount of effort put into the project, where possible. And of course, any one privacy-enhancing tool needs to be used in concert with effective legislation, policy oversight and other privacy-enhancing tools.